Windows 10 Script Error

Discussion in 'Software' started by Bluesbreaker, Feb 6, 2016.

Thread Status:
Not open for further replies.
  1. Bluesbreaker

    Bluesbreaker Corporal

    Hi. I've been working with Kestrel in the Malware forum (malware Chinese characters thread). Had to access safe mode to run RogueKiller and did it through msconfig.
    Ran the fix file provided and now I seem to be getting the following error when I try and log in.

    Error message says Windows Script Host. Can not find script file c:\windows\run.vbs

    I am still in safe mode.
     
  2. MaxTurner

    MaxTurner Banned

  3. satrow

    satrow Major Geek Extraordinaire

    Sounds like that was one of the infectors and it's been removed, does it show up in MSConfig > Startup?

    If not, you'll need to use something like Autoruns to track it down (from Safe Mode with Networking?).

    I'll have a dig around your Malware topic for more clues, if I can stay awake ^^
     
  4. satrow

    satrow Major Geek Extraordinaire

    @Major Dilemma: can you trace anything else that ties into the date/time of that script in the logs (2016-01-27 18:50), please? My brain's hurting after only going through 4 files!
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    @satrow No I'm not seeing anything else coinciding with that date or time.
     
  6. _nullptr

    _nullptr Major Geeky Geek Geek

    Boot the PC into normal mode. Are you still having to run Explorer.exe to access the desktop and files?
     
  7. Bluesbreaker

    Bluesbreaker Corporal

    OK. Windows 10. Should I boot into normal via msconfig?
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes and also tell us if you're still having problems with Windows Explorer.
     
  9. Bluesbreaker

    Bluesbreaker Corporal

    OK. So the plan is this
    Get into msconfig from the explorer way? And do what?
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The idea is to boot via MSconfig into "Normal Startup Mode" and then report on any problems you have navigating around using Windows Explorer.
     
  11. satrow

    satrow Major Geek Extraordinaire

    I'm seeing dates from ~22-01-16, with userinit being the trigger point in the scans that show it; FR, PT and RU as well as English speakers, so it's pretty widespread.

    I can see a case ongoing where I'm on staff, I've just subscribed to it.

    Bluesbreaker, list all the Startups in MSConfig, but I'm unsure that you'd see it with that tool; Autoruns would stand a better chance. Under the Logon tab, look for the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit entry and copy the data from the line below (mine reads: C:\Windows\system32\userinit.exe Userinit Logon Application (Verified) Microsoft Windows c:\windows\system32\userinit.exe 10/30/2015 2:37 AM 0/53).

    EDIT: do as Dr M says first, report back on any issues seen.
     
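    As an added example (not from the thread, Autoruns or any poster here), the Userinit check satrow describes can be scripted: read the Winlogon Userinit value, flag every entry beyond the Windows default, and report whether the file each extra entry points at still exists. It assumes the default value is `<SystemRoot>\system32\userinit.exe,` (path plus a trailing comma) and an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit the Winlogon Userinit value the
# thread traces the run.vbs error to. Run in an elevated PowerShell session.
# Assumes the Windows default of "<SystemRoot>\system32\userinit.exe," (trailing comma).
function Test-UserinitValue {
    param([switch]$Restore)   # only rewrite the value when explicitly asked

    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $default = "$env:SystemRoot\system32\userinit.exe"
    $current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    Write-Host "Userinit = $current"

    # Winlogon launches every comma-separated entry at logon, so anything
    # beyond the default is an additional launch point that needs explaining.
    $entries = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = @($entries | Where-Object { $_ -ine $default })

    if ($extra.Count -eq 0) {
        Write-Host 'Userinit matches the Windows default.'
        return $true
    }

    foreach ($entry in $extra) {
        # Strip quotes and a leading wscript/cscript so the referenced file can be
        # checked; a launcher whose target is gone is what produces the
        # "Can not find script file" message seen at logon.
        $target = ($entry -replace '"', '') -replace '^(w|c)script(\.exe)?\s+', ''
        $state  = if (Test-Path -LiteralPath $target) { 'present' } else { 'MISSING' }
        Write-Warning "Extra Userinit entry: '$entry' (target $state)"
    }

    if ($Restore) {
        # Put the stock value back, trailing comma included.
        Set-ItemProperty -Path $key -Name Userinit -Value "$default,"
        Write-Host "Userinit restored to '$default,'"
    }
    return $false
}

Test-UserinitValue   # report only; run Test-UserinitValue -Restore to put the default back
```

    Compare the reported value with the Autoruns Logon tab entry above; a result of MISSING for an extra entry matches the symptom in this thread.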
  12. _nullptr

    _nullptr Major Geeky Geek Geek

    @satrow

    I'm certain the problem is with that Userinit entry and that the reg fix was incorrectly typed out.
    If Blues can boot into Normal Mode and launch Explorer.exe then they should be able to access this site and obtain the correct fix.
     
  13. Bluesbreaker

    Bluesbreaker Corporal

    OK. I am not a tech but what are my next steps? Boot into what?
     
  14. _nullptr

    _nullptr Major Geeky Geek Geek

    Go into msconfig and from the General tab select 'Normal startup' then click OK.
    Reboot the PC and at login (where you get the script error) run Explorer.exe as you've previously done.
    Then launch a browser and see if you can access MajorGeeks. If you can access MGs, login to MGs on the problem PC.
     
  15. satrow

    satrow Major Geek Extraordinaire

    _nullptr: It might be that something else has changed, the method most likely used was the standard one that's been used for years, I'd guess.

    I've not checked all OS details for the current batch but it could be that something like a recent change to W10's SIH is triggering a block/reversal during boot.
     
  16. Bluesbreaker

    Bluesbreaker Corporal

    OK gonna try and get into normal
     
  17. Bluesbreaker

    Bluesbreaker Corporal

    However, before I do anything: I have a restore point. Should I do this?
     
  18. _nullptr

    _nullptr Major Geeky Geek Geek

    No, just try booting into Normal mode.
     
  19. Bluesbreaker

    Bluesbreaker Corporal

    Hi all - just letting you know that I have now exited safe mode, am in normal mode and am posting here. However, I still got the c:\windows\run.vbs error. I have to step out shortly, but I am part way there. At least I'm in... :)

    thanks for all your help on this everyone.
     
  20. Bluesbreaker

    Bluesbreaker Corporal

    Also, I am still having to access the desktop and files via ctrl shift escape and running Explorer.
     
  21. satrow

    satrow Major Geek Extraordinaire

    Try to follow my earlier suggestion of using Autoruns now.
     
  22. _nullptr

    _nullptr Major Geeky Geek Geek

    Download the attached registry fix, unzip and double click to merge. If the merge is successful then reboot the machine and
    let me know how things are running.
     

    Attached Files:

  23. Bluesbreaker

    Bluesbreaker Corporal

    OK. Thanks does it have to be saved to the desktop or Windows directory?
     
  24. Eldon

    Eldon Major Geek Extraordinaire

    Save it to the desktop.
     
  25. Bluesbreaker

    Bluesbreaker Corporal

    OK thank you I will tonight or in am.
     
  26. Bluesbreaker

    Bluesbreaker Corporal

    Sorry for the delay all, I'm sure you've been waiting with bated breath as to the result ;)... which was unsuccessful. By that, I mean I still get the script host error: cannot find c:\WINDOWS\\run.vbs

    I'm still in normal mode, still accessing desktop via ctrl alt escape.

    thanks for your continued help on this.
     
  27. _nullptr

    _nullptr Major Geeky Geek Geek

    Download SystemLook to your desktop.
    Double click to launch it.
    Paste the content of the following code box into SystemLook's edit window, then press Look.
    Code:
    :regfind
    run.vbs
    
    When it has finished running, a log file SystemLook.txt will be created.
    Post the content of the log file.
     
  28. Bluesbreaker

    Bluesbreaker Corporal

    OK, will do. I forgot to mention that I did get an alert advising that the keys and values in the userinit.reg were added successfully. I'll run this tonight.

    thanks again you geeks.
     
  29. Bluesbreaker

    Bluesbreaker Corporal

    OK, here's the system log

    I mean system look...
     

    Attached Files:

    Last edited by a moderator: Feb 10, 2016
  30. _nullptr

    _nullptr Major Geeky Geek Geek

    I think it's possible that Baidu's HIPS is blocking the restoration of the Userinit entry. All I can suggest is to boot into safe mode and run the Userinit.reg fix.
    If that doesn't work I'd suggest resuming your thread in the malware forum.
     
  31. satrow

    satrow Major Geek Extraordinaire

    An alternative 'blocker' might be W10's SIH policy/scanner, I've yet to see exactly what that little box of tricks is fully capable of.

    The other ongoing topic I was watching seems to have ended up in the same state as well.
     
  32. Bluesbreaker

    Bluesbreaker Corporal

    OK, so _nullptr, what we're saying is that there is a malware, BAIDU, that could be causing this block. If I run this in safe mode and it doesn't work, the plan is to go back to the Malware forum in safe mode or in normal mode and get the BAIDU virus eliminated, then come back and rerun the Userinit.reg fix. OR do I start up a new thread once I crush BAIDU?
     
  33. _nullptr

    _nullptr Major Geeky Geek Geek

    Baidu is security software that you have installed. I'd recommend resuming your malware thread regardless of whether running userinit.reg works from safe mode.
     
  34. Bluesbreaker

    Bluesbreaker Corporal

    Not me. Didn't install any of that. Does it say when? Maybe that explains all the Chinese pop-ups, desktop apps and little Taskbar things that prompted me to post on the Malware thread.
     

    Attached Files:

  35. _nullptr

    _nullptr Major Geeky Geek Geek

    From the list of running processes in your FRST log:
    Code:
    C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.892\BaiduHips.exe
    C:\Program Files (x86)\Baidu\BaiduAn\4.0.0.8029\BaiduAnSvc.exe
    C:\Program Files (x86)\Baidu\BaiduAn\4.0.0.8029\BaiduAnTray.exe
    C:\Program Files (x86)\Baidu\BaiduAn\4.0.0.8029\BDALeakfixer.exe
    
    There is also a Baidu BHO that runs with Internet Explorer.

    Is there a Baidu listing in Control Panel -> Programs and Features?
     
  36. _nullptr

    _nullptr Major Geeky Geek Geek

    According to MGLogs there should be 2 listings.
    Code:
    "UninstallString"="C:\\Program Files (x86)\\Baidu\\BrowserProtect\\4.0.2.205\\uninst.exe"
    "UninstallString"="C:\\Program Files (x86)\\Baidu\\BaiduAn\\4.0.0.8029\\uninst.exe"
    
     
  37. Bluesbreaker

    Bluesbreaker Corporal

    I will check in the am. This appears to be part of my problem then? I didn't install this thing... not knowingly, at least.
     
  38. _nullptr

    _nullptr Major Geeky Geek Geek

    It seems that Baidu, Tencent and other junk appeared on the PC on 30/31 January.
     
  39. Bluesbreaker

    Bluesbreaker Corporal

    And around the time I had issues start. I will do these steps and get this crap fixed in the malware forum. Thanks _nullptr
     